Improving Security in Utility Networks with Mass Device Administration

In today’s connected world, over-the-air updates, monitoring, and management are must-have features – especially for remote locations. However, for businesses like utilities that require secure connectivity, remote access can be a challenging requirement. In this webinar presented by experts from Digi and Sierra Nevada Corporation’s Binary Armor, we review how secure remote connectivity is possible, even in highly regulated industries.

Please take a moment to complete the form below and gain instant access to this recorded webinar.
 cover page

Recorded Webinar

Improving Security in Utility Networks with Mass Device Administration

Nov 08, 2023 | Length: 56:32

In today’s connected world, over-the-air updates, monitoring, and management are must-have features – especially for remote locations. However, for businesses like utilities that require secure connectivity, remote access can be a challenging requirement. In this webinar presented by experts from Digi and Sierra Nevada Corporation’s Binary Armor, we review how secure remote connectivity is possible, even in highly regulated industries.

Digi Remote Manager® allows secure access to connected devices anywhere, anytime. And when combined with a containerized Binary Armor security solution on top of the Digi TrustFence® security framework integrated into Digi industrial cellular routers, utilities can rest assured that their data is protected.

Connect with Digi

Want to learn more about how Digi can help you? Here are some next steps:

 

Follow-up Webinar Q&A

Thank you again for attending our session with Binary Armor and Digi International on improving security in utility networks. If you have additional questions, be sure to reach out.

Moderator: Nikki Chandler, Executive Editor, T&D World

Presenters: 

  • Kyle Shepard, Chief Engineer of Cyber Programs, Sierra Nevada Corporation’s Binary Armor
  • Joshua Flinn, Senior Product Manager, Digi Remote Manager, Digi International

Does this only track logging into the serial port on the Digi device, or does it also track the logins to the devices connected via serial to the Digi device?

Kyle: The way that this works is that the dashboards that we showed here were just logging of logins to the Binary Armor agent, and who is making changes. When you start to track logging of the logins to the device, Binary Armor does also have that capability, where, because we do that full content inspection, and we're looking at all the data over the serial port, we can then take that information and detect when there is a login action occurring and send out an alert or a log for that specific action being taken.

So, that's a big benefit of when you put Binary Armor into this capability, as you start growing, the initial is, "Hey, turn on the serial port. Turn off. Let me know when there's data going through." Once you get comfortable with that, you can start adding that additional feature set, to say, “hey, I want to know when someone logged in, or when someone did a write command, or when someone changed the setting of a particular point in my actual logic controller.” So, that capability is there. We didn't show it today.

Josh: Yeah. From the Digi Remote Manager side, we're able to do the same thing, right? So, we can see when somebody is logged into a Digi device, or connected to a Digi device through Remote Manager, on top of that, when they've accessed the serial port from that device. That's kind of where our monitoring stops, and one of the reasons we partnered with Binary Armor is for the exact reason Kyle just gave. So, we can show that somebody accessed the serial point, but we don't really know what they did, or how long they were connected, how much data they sent through, anything like that. So, while we can provide some basic visibility, the partnership with Binary Armor really took that to the next level, to provide the insights that our customers were looking for.

How do you provide authorized users capability and MFA for protocols like GOOSE and DNP?How do you provide authorized users capability and MFA for protocols like GOOSE and DNP?

Kyle: So, the way that we do that, as you grow into the additional capability, is that Binary Armor has its own user tracking capability that you use. I'll get a little nerdy here.

We use your public key infrastructure standards, and you pass us a certificate. We check that certificate when you're logging into the device, to give you access to that data port for the control. So, it's done at the network level, to log in, to perform those more advanced actions over a temporary time frame. We have in our road map to do it by individual connection level, but it's a way for us to handle it at a lower level on the network, to say, "This person that's accessing has authenticated to say that the system is running in a mode that lets them perform those actions on DNP3, and that's all handled with multi-factor authentication.

How do you collect logs from legacy devices?

Kyle: The way that you do that with legacy devices is through the serial port. So, when you start talking about old protocols, you have the ability — by inspecting the data — you can then infer what information to pull out that would be of importance. So, a common one, Modbus RTU, you know what controls are going to and from the device, you know when you're reading coils, writing coils. You can then say, for your security posture, "Hey, when I see write coils, let's pull that data out, send a log, and feed that back.” So, Binary Armor has already done a lot of that work with standard protocols, to be able to then grab the information out, and generate the logs that the device wouldn't necessarily do because it wasn't designed to do that from the beginning.

Does Binary Armor only work with a Digi server?

Kyle: So, the Binary Armor application — and this is a benefit to how Digi has done their integration — works through “containers.” If you can run a software container environment, you're able to run Binary Armor.

And on the flip side, if you've developed software containers, you are able to then use those in your Digi servers, assuming that when you go out to an edge compute device, you're not going to have your very high-powered Intel, like an Intel 8-core Xeon.

So, there's understanding resource constraints when you do that type of extreme edge computing. If you have a container environment, you can run Binary Armor. And then, if you have containers, you have the opportunity to be able to put them into the Digi container ecosystem.

Can Binary Armor support protocols that are not native to the container, such as scripting?

Kyle: I may have to follow up for clarification on that one a little bit. So, a lot of our focus on the protocols are your network and your serial protocols. So, common ones are Modbus DNP3, BACnet, GOOSE. And then, there's a wide number of protocols that we support over on the aerospace side of the house. So, when you have data traveling over the wire, we're able to look at it.

Our technology can be transferred to look for potential scripting. We do have tools to handle, if you're sending plain text over the wire, we can look at that plain text and see if it makes sense. It's not historically been where people have used the product, so that capability is there, but it hasn't...I don't have as many real-world examples of it being in operation in that capacity.

This participant says they're not familiar with the Digi serial device in the presentation, but they're wondering if these Binary Armor capabilities are available on the Digi cellular products and modems.

Josh: Absolutely. So, Binary Armor, or the container service, particularly, that Binary Armor runs on, is available on any device running our Digi Accelerated Linux operating system. So, anything running DAL OS. We do have devices that are specifically designed for doing the use case that we brought up, with just serial connections, or some sort of serial server, but as you know, most Digi cellular routers also contain a serial port that you're able to connect to another device using those. So, yes. Binary Armor and containers are available on any Digi device running DAL.

Kyle: Yes. And to answer a little more directly off that, Josh, is that Digi Connect® EZ 4i is one of the cellular modem products. So, it does have a cellular modem in it. We have pulled that modem out when we worked with our municipal utility, because they didn't want to have a cell modem connection for that particular network. It's actually a challenge when you start working with legacy, but when you start going to modern IoT deployments, this is a container capability that is available on all of the cellular modem products.

Can other computer ports be monitored?

Kyle: Yes. So, with the integration with the Digi, you have primarily network and serial, so we can monitor both the network protocol as well as the serial protocol, with the one that we've used in particular. That doesn't limit us to just those ports. If you have other ports that you would be interested in, would be happy to follow up with details on what you're trying to accomplish.

Are the containers that you're talking about Docker containers?

Josh: Actually, no they're not. So, we implemented the Linux Container Service, which is a slightly different path. However, on our support pages, and if you contact our support team, our professional services team, we do have instructions on how to convert Docker containers into LXC containers, so you're able to still use the same applications.

Do you do the bulk firmware app upgrade only for Binary Armor, and the containers on it, or for the underlying devices as well?

Josh: We have the capability to update the firmware and the OS on the Digi devices, as well as updating the software for Binary Armor, any of the containers. What we don't have the capability of doing directly from Digi Remote Manager is updating the firmware on the devices that are connected serially to the device. Ideally, in these situations, and what we've been talking about is we provide the access, in a secure way, to get to that device, so you can do firmware upgrades. But the Digi Remote Manager platform will not handle the upgrades of the devices that are connected to a Digi device. I don't believe Binary Armor has that capability either, but I could be wrong.

Kyle: No, we do not. We can just report when someone says what firmware version it is, you can receive information in your logging that there's an out-of-date device, to help give you that insight. You would need to go and perform that update to that connected device yourself.

With all the functions available, could it be a good option for a dedicated team to perform functions only, and only a full health check?

Josh: I think, from the question you're trying to ask, it's always good practice to separate functions, or areas of responsibility, if your organization supports it. So, in Digi Remote Manager, you can absolutely set up full admins. You can set up users. You can set up read-only users, so if you have a set of users that just need to go in and make sure everything's functioning well, or they just need to run reports, things like that. If that's all the access they need, then that's what you should give them. You never give anybody more access than they require. I believe Binary Armor and their system has the same capabilities.

Kyle: Yes. So, that's the goal with our multi-factor authentication. Just like Digi, everyone's moving to role-based access control, so if you want to have a dedicated team that's doing all of the work, and we're tracking that one team to keep it simple, if that makes sense for your organization, great. If not, and you want to have multiple tiers of personnel, that have different access levels, you can do that both in Digi Remote Manager as well as in Binary Armor, so that only certain people are allowed to adjust the state of how Binary Armor is running to allow or disallow certain operations.

When considering a secure architecture for utilities, what do you anticipate being the biggest challenge?

Kyle: I actually see a lot of the challenge is in policy and organization. So, when I say policy, there are a lot of requirements and standards and certifications that, when you go into an operational technology network, that’s competing with a lot of your security best practices.

The best example that I have is — I'm going to jump to aircraft for a second here. You have FAA certification of making sure the plane can fly, and that your code is certified so that the plane can fly, and then you have security that wants you to be continuously patching every quarter. FAA certification takes longer than a quarter, so how do you balance those competing priorities?

Those types of policy challenges are some of the largest challenges to work through. And then, when you start talking organization, when I go back to talking about how, in the corporate network, it's well-understood, your CISO and your CIO, they are working together, they've had to work together, in a lot of cases, until recently, the CISO's been the CIO, that is a well-understood relationship. When you start talking with operations, there is a lot of, "I don't want security touching my operations network. What if it breaks?"

So, the way that you try to account for those challenges is, for one, you can't swing one direction or the other fully, right? You know, security can't come in and say, "Hey, do quarterly patches," because the response is just going to be "no." And then, on the flip side, operations can't say, "Hey, security, get out of my space. I'm just going to keep my network vulnerable."

And, so, working together to get tailored approaches, and then really starting to dive into what makes the most sense for the organization, and then being able to layer in the technologies as it makes sense, and start small.

So, this is more to the security side of the house; don't go straight to locking yourself out with a bunch of policies. Put in some monitoring, see what's on the network. Once you're comfortable with that, you can add in some additional insights. You can add in more detailed enforcements. And then you can start taking automated response and active protection, which is where, for you to properly secure a network like this, you need to be able to actively protect against a threat, because someone is going to attack you, at machine speed, you need to respond to it. You can't go straight to that. You need to start small and grow as you gain confidence in your security solution.

How do you build that confidence that your security solution is working effectively?

Kyle: A lot of it is time and engagement. So, for a perfect example, if you put the Binary Armor access control capability on a network, you're not doing much to automatically block. You are starting to get some basic insights.

Once you see value in those insights, then you can start turning on more features in Binary Armor. We have the ability in Binary Armor to do active blocking, and forcing read-only modes, even some very detailed changing states, requiring someone to have a hotline tag on a system before you let any changes happen. All of that gets more and more complex and more and more detailed, so it goes back to that starting small and then working with tech tools that have been validated through a lot of your existing authority. So, national labs, doing things like DoD accreditations, DOE accreditations, trying to go to those stable products that have already been tested out in the field.

Can you elaborate on how Digi Remote Manager's centralized approach simplifies compliance with security standards like GDPR or HIPPA?

Josh: With any type of security standards or external audits, or even internal audits, those types of capabilities, when you're talking about hundreds or thousands of devices, trying to implement those compliance standards on those devices individually, one at a time, would be a full-time job for probably an entire team of people. On top of that, the simple fact of making sure those devices are adhering to those compliances, it's not humanly possible for somebody to log in and look at every device, and make sure it's good.

So, when you take a centralized approach in doing mass device management, you can really manage at a network level instead of a device level. And that is really where you find the efficiencies and you’re able to really scale to hundreds or thousands of devices. Along with that, inside Digi Remote Manager, you can very simply find those security standards that apply to those different security protocols, or those security standards. So, Remote Manager, or any management platform, really, is key when it comes to complying to any type of standard.

How does did Digi Remote Manager facilitate secure over-the-air updates, and what advantage would that bring?

Josh: That is a great question. One of the key things when it comes to security on your network is keeping your firmware up to date, because every day, new security vulnerabilities are found in software. And being able to quickly deploy those out to the field is really a requirement. Digi Remote Manager allows you, in a few clicks, to update your devices, over the air, over your cellular network, a wired network, whatever the connectivity is, you can quickly update all of those devices in a group. And on top of that, know whether or not the upgrade succeeded.

So, one of the downsides, when you're doing this one-off process is you kick off an update and then you move on to the next one, because you're trying to be efficient, and sometimes, those updates fail, right? We're talking about cellular networks. They're not 100% reliable. And if you don't know that it failed, and you never go back and check, you could have systems out there that are running old firmware, that have those vulnerabilities in them.

That's really the key point. And when you're talking about a centralized management platform, and we talked about the productivity and the ability to create groups and things like that, it also gives you the capability to manage that quickly and easily, when that firmware comes out. Because. while it's important to do security patches, it's also important that your network is still functioning. So, you have the ability to update one, two, or a handful of devices, make sure that the firmware doesn't break your users' connectivity, doesn't break the network, it doesn't take things down, things like that, and then, from there, you can roll it out en masse. So, it really allows you, with the centralized platform, to optimize your workflow, to give you a good balance between security and usability.

Assuming the Binary Armor container can be loaded on any device, or they're assuming that it can be loaded on any device running a Linux OS, is monitoring limited to serial communications only?

Kyle: No. So, it's actually any data bus protocol that you want to support. We do serial, very common, when you start talking to serial servers in Digi. We also do a lot of work with IP traffic. So, our existing device is mostly IP that people use it for. So, any type of Ethernet, cellular, wireless, monitoring traffic going on, on that type of interface. And then, we even get into much more interesting applications. So, when you start talking about getting into aircraft and space vehicles, there's a lot of additional protocols there, like ARINC 429, MIL-STD-1553, a lot of other just off-the-wall, completely different protocols that we have supported with the product. So, the capability is agnostic. Doesn't have to be serial. We do a lot with IP. A lot of people are going to IP, so, makes sense. And if there are any other protocols or physical layers that you're interested in, happy to talk more about which ones you're looking at.

Do OTAs require a device restart? In this person's situation, if the device requires a restart, they need to have a technician on site. So, can you guys speak to that?

Josh: From the Digi side, if you use Digi Remote Manager to update a Digi device, since it's actually a firmware-level upgrade, it does require the device to restart. That being said, Remote Manager has the capability of restarting devices remotely, and then monitoring to make sure they come back up. So, perhaps, with Remote Manager, we can eliminate that need to have a technician on site for every location. But I suggest you reach out to your Digi representative, and we can talk about your specific example, and see if there's a way we can help.

Kyle: Yes, and to go off of that a little bit, that's specifically for Digi firmware. With the Digi containers that you run, you can restart without having to physically restart the device. Configuration updates that you do within Digi do not require a restart, so it's really specifically when there's a firmware update for the Digi itself where you would need to look at that workflow. So, a lot of what you do does not require a restart. Ultimately, when you have to do a firmware update on a hardware device, that will require a restart for the changes.

Okay. Kyle, you mentioned access control as a key feature. But what if a customer or a utility is looking for other insights about their OT endpoints?

Kyle: Yes. So, the access control capability, we see as a great starting point to being able to properly secure these types of connected devices. So, it gives you that basic, who has access? Who doesn't? Turn on, turn off. I kind of alluded to some of the advanced features of Binary Armor, where, as you gain that confidence in the network, you can start stepping up your protections. So, as you start looking for additional insights, you can start tailoring your rule sets from just the basics, to say, “Hey, I really care about certain operations. Let's make sure we're getting that data out, without necessarily mirroring all of the data back to a central reporting section.” So, it really depends on the need of the user, and then, as you start walking through, you can start adding in operation workflows to say, “Hey, are you operating and following the right procedure? If I'm changing a feeder line. Are you grounding, ungrounding? Have you done the hotline tags? Are you doing the procedures that you are supposed to?”

So, there are a lot of additional features that you can add on as you gain that confidence, and a lot of it is related to device-specific information. Larger-scale anomaly detection, as you start feeding it back to an analytics platform, it's really, this gives you a starting point to really grow into other insights.

How does centralized management help in quickly identifying and isolating security threats?

Josh: That is an excellent question. So, there are a few things here. One of the things that having centralized management gives you the capability to do is, first of all, baseline your network.

Most of the time, you're going to find vulnerabilities or places where your network has been compromised due to abnormal behavior on your network, abnormal traffic, traffic spikes, things like that. So, first you have to baseline your network. You have to understand: How is your network functioning? What is it doing? What does a normal month look like? What's a normal day look like? Those types of things.

Then, from there, you can set up alerts that will point out things like: This device is sending twice as much traffic as it normally does. For this particular device, we see a new protocol that we've never seen on the network before. Those are the types of things that you get to see.

So, with Digi Remote Manager, you know, the analytics piece that we talked about, with the dashboard you’re able to see how that data is being utilized. And then also, capabilities like intelliFlow, which is the ability to monitor specific TCP and UDP ports on your devices, to make sure that the traffic patterns and things are within your standards, within your normals. Being able to watch hundreds of thousands of devices, though, again, not humanly possible. You need some help in that capability.

And then, with Remote Manager, you can even go a little bit farther with setting up things like configuration templates, and automations and stuff, so that the system can take some actions on its own, even without human intervention, besides just alerting.

When you use the word “network,” do you refer to the network data communication, or are you sometimes referring to a network like a power, electrical network?

Kyle: Apologies. I am almost exclusively referring to your IP network, or your communication network. As far as power, power grid, power electrical network, I don't think I've been mentioning that, so, it's all been related to that communication network.

Josh: Yeah. It's the same for me, Kyle. Coming from a network background, or an IT/IP network background, yes — anytime I say "network," that's what I'm referring to, is a communications network.

Josh, can you discuss how Digi Remote Manager helps in minimizing human error, which is often a major security vulnerability?

Josh: Yes. We've touched on this a couple times, of that being the biggest vulnerability to any communication network, is the human element. And Digi Remote Manager really minimizes those issues through two major functions, the first one being configuration templates. So, rather than individually configuring a lot of devices, you can set up a template, and then apply that template to devices. On top of that, Remote Manager regularly checks those devices to make sure that their config matches that template. So, if somebody goes in and a device is having a problem —  for example, the device has some sort of error or problem, and there's traffic being blocked, any number of things — a technician will log into that device, they do some troubleshooting, they change some things, and they open some holes in the firewall. They're trying to figure out how to make it work. When they figure out the problem, they don't necessarily put the configuration back to the way it was before. Or even if they remember to, they may have changed dozens of different settings, and remember everything they changed and setting it back, that's difficult.

So, with the templates, and Digi Remote Manager’s capability, whenever it checks that device next, it says “hey, this is out of compliance.” It can put that template back to the way it was. So, that eliminates one of the human errors.

The other feature that Digi has is something we call automations. So, there are regular, routine tasks that you need to do on the network sometimes. And sometimes they can be very tedious. And when you're doing tedious work, humans can lose focus, and we can make mistakes. We all do it. Machines are much more reliable in that sense. So, setting up automations to do those regular, repetitive, kind of mind-numbing tasks, can also eliminate a lot of those human errors.

What are the most common challenges companies face when transitioning to a centralized management system, and how does Digi Remote Manager address them?

Josh: One of the great things about Digi Remote Manager is Digi devices are built from the ground up to talk to Remote Manager. Straight out of the box, they try to connect. They may not be in there. So, if you already have a Digi network deployed, and you're not using Remote Manager, if you decide to go to centralized management, you sign up for a Remote Manager account, and you get the seats, those devices are still trying to connect to Remote Manager. So, it's very easy to move them into the system. And, with Digi Professional Services, with our support team, we can help our customers do that. Some of the biggest challenges, though, are if you haven't been using Remote Manager, and you've been using some other process for managing those devices, whether it's scripting, running your own servers — those kind of things — a lot of times, what you've done with your own management system or those scripting services are already built into Remote Manager. So, once you connect the device, changing your workflows, your workflows actually become easier. The system was built specifically for managing these devices.

Download Digi IX40 5G Datasheet
Introducing our newest industrial router

Have a Question? Connect with a Digi Team Member Today!